'Storm' attack starts again
29 June 2007

A new round of greeting card spam is drawing visitors to a web site that tries to infect their machines. MX Lab captured examples of the email, which has the subject line "You've received a postcard from a family member!" and contains a link to a malicious web site where JavaScript determines whether your browser has scripting enabled or turned off.

---

Good day.

Your family member has sent you an ecard from xxx.com.

Send free ecards from xxx.com with your choice of colors, words and music.

Your ecard will be available with us for the next 15-days. If you wish to keep
the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://xxx.xxx.xxx.xxx/?80d0229e368412571d7d41977bc649ea

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://xxx.xxx.xxx.xxx/

Your ecard number is
80d0229e368412571d7d41977bc649ea

Best wishes,
Postmaster,
xxx.com

---

If JavaScript is disabled, the site provides a handy link and instructions to click on, so that you exploit yourself. If JavaScript is turned on, you could be facing three exploits, depending on which one can be used against your computer.

The first is an exploit against a QuickTime vulnerability, the second is an attack on the WinZip compression utility, and the third is an exploit for the WebViewFolderIcon vulnerability in Windows that Microsoft patched last October.

Every email leads to a server addressed by an IP address, and that address is changed quite frequently, which gives a good indication that multiple servers are hosting the malware.

MX Lab has taken action to block these emails, even when the potential risk is indirect.
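The traits visible in the quoted email (a greeting-card subject, a link to a bare IP address, and a 32-character hex token used as the query string and repeated as the "ecard number") can be combined into a simple mail-filter heuristic. The following is an added example, not MX Lab's filter; the function names, the scoring and the sample message (which uses the documentation address 192.0.2.10) are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TOKEN_RE = re.compile(r"[0-9a-f]{32}", re.I)

# Constructed sample modelled on the quoted email; 192.0.2.10 is a documentation address.
SAMPLE = """Subject: You've received a postcard from a family member!
From: postmaster@example.com

Click on the following Internet address
http://192.0.2.10/?80d0229e368412571d7d41977bc649ea

Your ecard number is
80d0229e368412571d7d41977bc649ea
"""

def ip_literal_urls(text):
    """Return (url, query) for each URL whose host is a bare IP address."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            continue  # DNS name or malformed URL, not an IP literal
        hits.append((url, parts.query))
    return hits

def score_ecard_lure(raw_message):
    """Return (score, reasons) for a plain-text, single-part message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    reasons = []
    if re.search(r"\b(e-?card|postcard)\b", msg.get("Subject", ""), re.I):
        reasons.append("greeting-card subject")
    urls = ip_literal_urls(body)
    if urls:
        reasons.append("link to bare IP address")
    tokens = {q.lower() for _, q in urls if TOKEN_RE.fullmatch(q)}
    if tokens:
        reasons.append("32-hex token as query string")
    # The quoted email repeats the token outside the URL as the "ecard number".
    rest = URL_RE.sub(" ", body).lower()
    if any(t in rest for t in tokens):
        reasons.append("token repeated in body")
    return len(reasons), reasons
```

Because the heuristic keys on the URL's shape and not on a specific address, it is unaffected by the frequent IP changes described above.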
